JWT Decoder

Decode JWT headers and payloads locally without verifying secrets.

This decodes only. It does not verify the signature or secret.

Decoded JSON

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "tulakito",
    "name": "TULAKITO",
    "iat": 1716163200
  }
}

Frequently asked questions

Is decoding a JWT the same as verifying it?
No. Decoding only reads the Base64URL-encoded header and payload, which anyone holding the token can do. Verification requires the signing secret or public key to confirm the signature was issued by the expected party.

Why is the JWT payload readable without a password?
JWT bodies are signed, not encrypted, so the claims are intentionally inspectable. Never put passwords or sensitive PII into a JWT payload; use JWE if you need encryption.

What do the iat, exp, and nbf claims mean?
iat is the issued-at time, exp is the expiration time after which the token is invalid, and nbf is the not-before time before which the token should be rejected. All three are Unix timestamps in seconds.
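
The difference between decoding and verifying, and the exp/nbf checks described above, shown as an added Python example (not this tool's own code). The secret, the exp value and the helper names sign_hs256 and tamper are constructed for the demonstration; the other claims are the sample ones shown on this page.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg: str) -> bytes:
    # JWT segments drop Base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode(token: str) -> dict:
    """Read header and payload. No key needed, nothing is authenticated."""
    header, payload, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Return the payload only if signature and time claims check out."""
    header_seg, payload_seg, sig_seg = token.split(".")
    # Pin the algorithm; never let the token's own header choose it.
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Issuer side, included only to build the constructed sample token.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def tamper(token: str, **changes) -> str:
    # Rewrite claims but keep the old signature, as an edit made without the key would.
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return f"{head}.{b64url_encode(json.dumps(claims).encode())}.{sig}"

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
TOKEN = sign_hs256({"sub": "tulakito", "name": "TULAKITO",
                    "iat": 1716163200, "exp": 1716166800}, SECRET)
```

A token whose payload was edited still decodes cleanly, which is why decoded claims must not be trusted until verify_hs256 (or a maintained JWT library doing the same checks) has accepted the token.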